CVE-2022-39311

Critical · RCE

Published: 14 October 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0947 (93.0th percentile)
Risk priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-39311 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Thoughtworks GoCD. Its CVSS base score is 9.1 (Critical).

Operationally, its EPSS score places it in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

GoCD versions prior to 21.1.0 contain a remote code execution vulnerability in the server component that stems from exposure of a Spring RemoteInvocation endpoint used for agent communication. The endpoint permitted deserialization of arbitrary Java objects, directly enabling code execution on the server. The affected software is the open-source GoCD continuous delivery server, and the issue is tracked under CWE-502.

An attacker who obtains agent-level authentication can exploit the flaw by sending a malicious serialized object. Practical attack paths include compromising an existing build agent, intercepting its network traffic, or successfully registering a new malicious agent with the server. Successful exploitation grants the attacker full remote code execution with the privileges of the GoCD server process.

The official GoCD security advisory and release notes state that the vulnerability is resolved in version 21.1.0. The fix is implemented in commit 7b88b70d6f7f429562d5cab49a80ea856e34cdc8, and the project reports no known workarounds for earlier releases. The EPSS score has remained flat at 0.0947 with no material increase after disclosure.
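The root cause described above is a server-side Java deserialization sink that accepted any class present in the incoming stream. The snippet below is an added illustration of the defensive pattern for that weakness class: a JDK `ObjectInputFilter` (Java 9+) that allow-lists the handful of classes the endpoint legitimately expects and rejects everything else before any object is instantiated. It is not GoCD's code, not the fix in the commit cited above, and does not use Spring's remoting API; the `com.example.agent.AgentStatus` class name in the allow-list and the sample payloads are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Set;

public class SafeDeserializer {

    // Constructed allow-list: only the types this endpoint is designed to receive.
    // "com.example.agent.AgentStatus" is a hypothetical DTO for illustration.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String",
        "java.lang.Integer",
        "java.lang.Number",
        "java.util.ArrayList",
        "com.example.agent.AgentStatus"
    );

    private static final int MAX_DEPTH = 10;
    private static final long MAX_REFERENCES = 1_000;

    // Deny-by-default filter: the JDK consults it for every class, array and
    // back-reference in the stream before the object graph is materialised.
    static ObjectInputFilter allowListFilter() {
        return info -> {
            // Bound graph size to blunt resource-exhaustion payloads.
            if (info.depth() > MAX_DEPTH || info.references() > MAX_REFERENCES) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> clazz = info.serialClass();
            if (clazz == null) {
                // Call carries no class (e.g. a reference or limit check): leave undecided.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            // For arrays, the decision is made on the component type.
            while (clazz.isArray()) {
                clazz = clazz.getComponentType();
            }
            if (clazz.isPrimitive()) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ALLOWED.contains(clazz.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
        };
    }

    // Deserialise a payload with the filter installed; an unexpected class
    // surfaces as InvalidClassException before its constructor or readObject runs.
    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(allowListFilter());
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: an expected String, then a type the endpoint never asked for.
        byte[] expected = serialize("agent-42 idle");
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("allowed: " + readFiltered(expected));
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs before any class from the stream is resolved into an object, which is what makes it effective against gadget chains: a chain is only dangerous if its classes are instantiated, and an unlisted class is refused at the stream-descriptor stage. Pair the allow-list with the depth and reference caps shown, and log rejections so that unexpected classes arriving on an agent channel become a detection signal rather than a silent failure.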

Vulnerability details

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary Java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.

CWE(s)

CWE-502: Deserialization of Untrusted Data

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: thoughtworks
Product: gocd
Versions: ≤ 21.1.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each control addresses CWE-502.

- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
- Untrusted serialized data can be deserialized and observed inside an isolated sandbox, so any gadget-chain exploitation is contained there and cannot reach the host.
- Validates or rejects untrusted serialized data before deserialization occurs.
- Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized information can detect tampering before deserialization occurs.
- Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.